ML13329A417


Summary of Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
Site: Diablo Canyon, Pacific Gas & Electric
Issue date: 12/30/2013
From: Jennivine Rankin
Plant Licensing Branch IV
To:
Pacific Gas & Electric Co
Rankin J
References
TAC ME7522, TAC ME7523


Text

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF OCTOBER 31, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)

On October 31, 2013, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.

Highlights from this meeting on October 31, 2013, include the following:

  • The project plan for the review of the LAR (Enclosure 3) was discussed and the major upcoming milestones were confirmed. The project plan will be updated as appropriate and discussed at the next public meeting.
  • The NRC staff stated that it should be issuing a third round of requests for additional information (RAIs) by December 2013. Once the RAIs are issued, the items identified in Enclosure 2 as needing RAIs will be closed and removed from the open item tracking list. This is because the RAIs themselves will be used to track the closure of the issue.
  • The NRC staff discussed the need for PG&E to provide the remaining set of Phase 2 documentation per commitments that were made in the LAR. PG&E took an action to update the NRC staff in the next several weeks on when the Phase 2 documentation is expected to be submitted.

Please direct any inquiries to me at 301-415-1530 or at Jennivine.Rankin@nrc.gov.


Jennivine K. Rankin, Project Manager
Plant Licensing IV-2 and Decommissioning Transition Branch
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff Identified Issues That are Open
3. Project Plan

cc w/encls: Distribution via Listserv

LIST OF ATTENDEES

OCTOBER 31, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY
DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-275 AND 50-323

NAME                 ORGANIZATION
K. Schrader          Pacific Gas and Electric
S. Patterson         Pacific Gas and Electric
A. Wilson            Pacific Gas and Electric
J. Hefler            Altran
R. Lint              Altran
E. Quinn             Altran
K. Durinsky          Westinghouse
P. Sirianni          Westinghouse
W. Odess-Gillet      Westinghouse
P. Tyrpak            Westinghouse
D. Head              Invensys
M. Herschthal        Invensys
Rich Stattel         Nuclear Regulatory Commission (NRC)
Samir Darbali        NRC
Rossnyev Alvarado    NRC
Shiattin Maker       NRC
Jennie Rankin        NRC
Gordon Clefton       Nuclear Energy Institute

Enclosure 1

Enclosure 2

October 31, 2013 DCPP PPS Open Item Summary Table

Columns: No; Src/RI; Issue Description and PG&E response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments

No.: 60
Src/RI: RJS (STSB/APLA)
Status: Open
RAI No. (Date Sent): RAI 39
Comments: 10/24/13 - RJS: Reviewed the evaluation document. Carl Schulten is taking over for Christy. Information sent to Karl. Awaiting feedback.

Issue Description: Technical Specifications: In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed by PG&E.

Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This summary report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance test intervals. This report should also include a qualitative (i.e., deterministic) analysis which describes the self diagnosis and fault detection features of the replacement PPS. In addition, this summary report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).

PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals is contained in the Westinghouse Document, "Justification for the Application of Technical Specification Changes in WCAP-14333 and WCAP-15376 to the Tricon/ALS Process Protection System" that was submitted in Attachment 9 to the Enclosure of PG&E Letter DCL-13-016 dated March 7, 2013. The document provides a qualitative comparison of features important to the reliability of the Tricon and ALS subsystems and the Eagle 21 system, evaluates the applicability of the WCAP-14333-P-A, Revision 1, and WCAP-15376-P-A, Revision 1, analyses to the PPS replacement configuration, and evaluates the compliance with the staff conditions and limitations contained in the NRC safety evaluations for WCAP-14333 and WCAP-15376 and Section 4.3 of the Amendments 179 and 181.

No.: 85
Src/RI: RJS/NSIR
Status: Open
RAI No. (Date Sent): No RAI
Comments: 10/24/13 - RJS: Discuss closure of this item at 10/31 Call. 7/29/2013: NSIR to determine if the response provided is sufficient.

Issue Description: What security measures will be implemented to the MWS so that the MWS is consistent with NEI 08-09, Appendix D.1.1? Explain the statement that access to the maintenance workstation will be consistent with the NEI 08-09, Appendix D.1.1. Additionally, explain whether security measures to be implemented include technical and operational security design measures incorporated into the system.

PG&E Response: Installation of the PPS replacement is scheduled for September 2015 and assessment of the whole PPS replacement system, including the maintenance workstation, as prescribed in section 3 of the Diablo Canyon CSP, will begin in April 2013. A preliminary assessment has been performed and required measures to be implemented by the vendors in the maintenance workstation was provided to the NSIR audit team during the August 6-8 onsite audit. The final assessment to determine security measures for the maintenance workstation, consistent with NEI 08-09 Appendices D and E, that need to be applied will be performed as part of the design change for the PPS replacement that will be performed following NRC approval of the PPS replacement LAR.

No.: 86
Src/RI: RJS/NSIR
Status: Open
RAI No. (Date Sent): No RAI
Comments: 10/24/13 - RJS: How will formal response be submitted if not through RAI? During 6/26 call, PG&E provided a brief summary of the response for this item. A formal response will be submitted later.

Issue Description: PG&E stated in its letters DCL-11-123 that security features and controls are being incorporated in the PPS replacement to ensure that the system is fully compliant with 10 CFR 73.54 cyber security requirements, while also ensuring that the security features and controls do not interfere with the reliable performance of the safety functions. Additionally, the enclosure to letter DCL-11-104 states the following:

  • the PPS replacement is being reviewed to comply with 10 CFR 50.73, the DCPP CSP, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010
  • the PPS replacement has been designed to meet the RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010

Section 4.2.2 "Cyber Security Impact Analysis of Changes and Environment" of the NRC-approved DCNPP Cyber Security Plan states the following:

  • a cyber security impact analysis is performed prior to making a design or configuration change to a CDA
  • these impact analyses are performed as part of the change approval process to assess the impacts of the changes on the cyber security posture of CDAs and systems that can affect SSEP functions
  • cyber security related issues identified during the change management process are addressed within the change management process, and therefore are not handled by the Corrective Action Program
  • risks to SSEP functions, CDAs, and CSs are managed through ongoing evaluation of threats and vulnerabilities and by addressing threat and attack vectors associated with the cyber security controls provided in Appendices C and E of NEI 08-09, Revision 6, during the various phases of the life cycle

Section 4.2 "Cyber Security Control" of the Cyber Security Plan states that the security control described in Appendices D and E of NEI 08-09, Revision 6, are evaluated and dispositioned based on site specific conditions during the establishment of risk baselines, during on-going programs, and during oversight activities. Additionally, it states that cyber security controls are used to protect CDAs within the scope of the rule.

Finally, Section 11, "System and Service Acquisition," of Appendix E of NEI 08-09, Revision 6, provides security controls associated with CDA vendors and developers.

Based on the above, explain how PG&E implemented (will implement) the security measures described in the NRC-approved DCNPP Cyber Security Plan for the PPS digital upgrade. Explanations should include discussions on the following:

impact analysis for the proposed PPS digital upgrade. The discussion should include explanations of the following:

    o qualifications of people who performed (will perform) the cyber security impact analyses
    o methods used (will use) to address security controls provided in its NRC-approved Cyber Security Plan
    o results of security impact analysis, including discussion on how each of the security controls provided in its CSP are addressed

  • The method that PG&E used (will use) to determine where the technical security controls identified in the above bullet are applied within the updated PPS.
  • The method that PG&E used (will use) to engage with the PPS replacement vendors to identify and provide security requirements for the development facilities and development process to comply with security controls provided in the following subsections of Section 11 of Appendix E of NEI 08-09:

    o Section 11.2 "Supply Chain Protection" -- Requirements for protecting against cyber-related supply chain threats and to maintain the integrity of acquired ALS platform components.

    o Section 11.3 "Trustworthiness" -- Requirements for the method used (will use) (i.e., software quality and validation methods) to minimize flawed or malformed software in the developing PPS.

    o Section 11.4 "Integration of Security Capabilities" -- Requirements for documenting the security design information and/or the capabilities for the PG&E to effectively configure, operate, and maintain the acquired PPS.

    o Section 11.5 "Developer Security Testing" -- Requirements for testing the developed PPS to verify that it meets specified security requirements and is free from known testable vulnerabilities and malicious code.

  • The method that PG&E used (will use) to verify and validate the developer's security test discussed in the above bullet.

PG&E Response: The information to respond to this question is 10 CFR 2.390 information and was provided to the NSIR audit team during the August 6-8 onsite audit.

No.: 93
Src/RI: RJS
Status: Open
RAI No. (Date Sent): ?
Comments: 10/16/13 - RJS: New RTM still does not establish traceability to the 6116-10203, and 6116-10204 Core FPGA Design Specifications. Also, a new revision of 6116-00059 will need to be docketed due to the significance of changes made since the original document was submitted. Documents: 6116-00011, ALS SDS, revision 1; 6116-00059 ALS RTM, revision 0. They are both available in the Sharepoint. SDS Rev. 0 is already on docket. [ML11277A152] RTM to be submitted on Docket.

Issue Description: (ALS Audit Item) The RTM for the ALS subsystem was prepared using Westinghouse document WNA-DS-02442 to trace PG&E requirements. The IV&V team found that Westinghouse document WNA-DS-02442 does not capture all PG&E requirements (see descriptions for Tickets #4787 and #4800). Please provide a description of how this issue is being resolved.

PG&E Response: The 6116-00000 Diablo ALS Management Plan, revision 4, specifies an updated document structure that has all PG&E Customer Requirements feeding directly into the 6116-00011, which will flow down into all ALS Diablo sub-ordinate requirement and design specifications. Westinghouse document WNA-DS-02442 has been removed from the document hierarchy. 6116-00000, revision 4, 6116-00011, revision 1, and the 6116-00059 RTM, revision 0, are all reflective of this new document structure.

6116-00011, revision 1, was submitted under PGE Letter DCL-13-087 dated September 17, 2013.

No.: 94
Src/RI: RJS
Status: Open
RAI No. (Date Sent): RAI 59

Issue Description: The ALS Topical Report Plant Specific Action Items will be made available to Westinghouse. When these are available, PG&E should prepare a document to identify how each applicable PSAI is being addressed for the PPS project. This document should include references to the LAR and supporting documents where PSAI's are addressed.

PG&E Response:

The response ALS ASAI will be submitted by 12/31/13.

No.: 99
Src/RI: RA
Status: Open
RAI No. (Date Sent): RAI 60

Issue Description: ISG-04 Compliance - ALS system (Virtual Channel)

CSI document 6116-00054, "Diablo Canyon PPS ISG-04 Matrix", responses to points 4 and 10 describe the use of Virtual Channel.

Furthermore, the response to point 10 states that virtual channels are described in 6002-10206, "ALS-102 FPGA Design Specification" and their use in the ALS PPS subsystem are described in 6116-10201, "DC PPS ALS-102 FPGA Requirements Specification." A copy of ALS document 6002-10206 is available in the SharePoint. This document provides general information on how a virtual channel can be used (for which implementation will be application specific). However, this information cannot be referenced in the safety evaluation because it has not been docketed. In addition, this information is too generic, and it does not describe how Virtual Channels are used in the ALS platform portion of the DCPPS replacement system.

When trying to search and trace the requirement for the use of virtual channel, the Staff could not find information in either 6116-00011, "ALS PPS System Design Specification", or 6002-00010, "ALS Platform Requirements Specification". ALS document 6116-10201 only lists virtual channel in Table 6-7, which does not provide any description about use of ALS virtual channels for DC PPS replacement system. Thus, it is not clear what the original requirement is for this function, and how the design is being implemented for the DCPPS replacement system.

Please describe the ALS Virtual Channels, requirements, design specification, and how they are used for the ALS portion of the DCPPS replacement system. In addition, clarify the use of virtual channels to address points 4 and 10 of ISG-04, specifically for setpoint modification.

PG&E Response:

Definition: Virtual Channel is an arrangement of components, modules, and hardware logic as required to generate within one RAB Frame loop a single protection action signal when required by a generating station condition.

Information: for the Diablo PPS implementation for the ALS-102 there are a total of 18 virtual channels with independent sets of configuration parameters and data registers and independent management of the logic path within one RAB Frame loop period. The ALS-102 implements 18 virtual channels, each of which performs a primary control function for the Diablo Canyon DCPP PPS ALS-102 safety system. These virtual channels each support different input/output configurations. Eleven (11) of the virtual channels support current loop analog inputs, four (4) of which are filtered and converted to engineering units indicating percentages and seven (7) of which are filtered and are converted to engineering units indicating pressures. The engineering unit values are compared to a setpoint to generate partial trip outputs indicating when a safety limit is exceeded.

Two of the percentage values are exported as filtered and range corrected 4-20 mA analog outputs. The remaining seven (7) virtual channels are input RTD temperature values which are filtered, range corrected using calibration data, and output as corresponding 4-20 mA analog outputs.

No.: 101
Src/RI: RJS
Status: Open
RAI No. (Date Sent): RAI 61
Comments: 11/1/13 - RJS: Waiting for additional testing to be completed. PG&E to provide estimate of completion for next call.
6/26/2013: during this call the following clarifications were provided:
- Describe specific conditions for the room where the system will be installed.
- Is there any restrictive requirement for this room?
- What is the relationship between the system specification requirement and environmental conditions?

Issue Description: Phase 2 Environmental Qualification Documentation:

Per ISG 6 Section D.5.1, the NRC staff needs to review the information provided to determine if the PPS equipment has been demonstrated to be able to operate within the specified environment. In order to do this the staff needs to have plant specific environmental data for the plant and specifically for the cable spreading room. The ISG 6 matrix (item 2.12) states that this information has been provided in the two vendor topical reports, however, these reports do not contain any plant specific data.

The NRC requires plant specific environmental condition data for normal operating conditions and the worst conditions expected during abnormal and accident conditions where the PPS equipment is expected to perform its safety function.

  • Range of temperature and humidity conditions that are expected in the cable spreading room.
  • Seismic data for the Diablo Canyon OBE and SSE earthquakes including frequencies and acceleration values.
  • EMI/RFI data for areas where PPS equipment is to be installed.

The FRS section does specify the ranges of temp and humidity but for seismic environment, it refers to documents DCM C-17, DCM C-25, DCM C-30, DCM C-28, and DCM T-10.

Note: The required information may also be contained in the UFSAR. The staff is reviewing design basis information in the UFSAR, however specific environmental conditions applicable to the PPS equipment remain unclear to the staff

PG&E Response in progress 6/24/2013.

No.: 105
Src/RI: RJS
Status: Open
RAI No. (Date Sent): RAI 62
Comments: 11/1/13 - RJS: John H to provide updated table for review. Table to be provided in RAI response.
10/25/13 - RJS. Spreadsheet should include a description of what arbitration of signals means.

Issue Description: Section 4.10.3.3 of the LAR - Interaction with Other Systems

In PG&E's response to this IEEE 603 Clause 6.3 criteria, there is no mention of the effects of using shared sensor signals between the PPS and control systems such as the DFWCS, or the AFW system. The NRC staff recognizes that the general specifications for the replacement PPS are similar to the Eagle 21 system and that the PPS project would not adversely impact the compliance of the system to this criteria however, it is necessary for the NRC to confirm that the criteria is still being met.

Please provide a description of the effects of sensor failure for those systems that use common shared sensor data from the PPS. A system level FMEA or the Hazards' Analysis may have this information.

PG&E response: The effects of the sensor failure for those systems that use common shared sensors data is contained in the spreadsheet 01 105 Input.

No.: 106
Src/RI: RA
Status: Open
RAI No. (Date Sent): RAI 63
Comments: 10/24/13 - RJS: A Closed Conference Call was held on 9/18 to discuss this matter. The licensee understood the NRC staff's concerns and took an action to provide the NRC staff with a description of the virtual channel and how the data transfer occurs. The NRC staff will need to examine the design documentation, as well as perform an audit activity to confirm that these functions are in fact independent from the safety functions in the ALS-102.

Issue Description: Follow up to question 69 - ALS Parameter Display

Follow-up Question b.
Did Westinghouse create new ALS-102 logic for the transmission of Parameter Display data to the Maintenance Work Station or is it original logic?

Follow-up Question c.
Describe the mechanism of the transmission logic (i.e., only configuration data was added to specify the points going over the TxB communication link) and how it cannot impact the safety function logic.

PG&E Response:

Response to Follow-up Question b.
The ALS-102 common communication logic is utilized and unchanged for the Diablo Canyon PPS application. The Diablo Canyon PPS application however, does incorporate application-specific data content.

Response to Follow-up Question c.
The ALS-102 TxB busses are unidirectional communication links that have the same properties as described for the ALS-601 Communication Board, except for the location of the communication hardware. The ALS-102 communication hardware is located within the CLB FPGA, but is implemented with independent logic circuits. The communication logic circuit does not interact with the safety function logic circuit; rather it is non-intrusively monitoring the safety function logic circuit.

A failure of the TxB communication circuit cannot prevent the performance of the safety function.

The ALS-102's 2 TxB communication channels, as specified in 6002-10203/10204, are identical in construction to an ALS-601 channel (6002-60103/60104), but have limited capability. The configuration settings in NVM consist of per-channel control settings for channel enable, baud rate, parity enable, parity type (even, odd), and number of stop bits (1, 2). The ALS-102 TxB communication channels, unlike the ALS-601 channels, do not have control settings for direction (RX, TX), transmit type (byte, packet), clone select, and clone enable. The ALS-102 TxB communications channels therefore operate in transmit-only, byte mode, with cloning disabled. Each channel is provided with an up-to 256x10-byte FIFO memory for buffering communication data passed between the register interface and the external communication interface. Transmit channels pass data from their channel data register to the channel's communication interface outputs buffering the data through the FIFO memory and providing channel integrity verification through the otherwise unused receive interface. The RTL that implements the communication channels is part of the platform and is common across all applications of the ALS-102 that use the TxB communications interface. The project specific data set, as defined in 6116-00100 - Diablo Canyon Units 1 and 2 Process Protection System ALS-ASU Communication Protocol, is gathered by and written from the ALS-102's CLB into the Communication Channel Interface module's Register Interface. This is a one way interface. The Register Transfer Level (RTL) that performs the data gathering and writing is a project specific implementation (6116-10203 - Diablo Canyon PPS ALS-102 Core A FPGA Design Specification and 6116-10204 - Diablo Canyon PPS ALS-102 Core B FPGA Design Specification).

In Core A, the Sequencer marshals the data defined in Table 3-1 of 6116-00100 to the communication channel interface from RAM for NVM data, EU Registers for processed input channel data in Engineering Units, and Status Registers for channel health and status. The marshalling is governed by a Finite State Machine (FSM) to control a MUX of all the data sources. It is independent of the FSM that governs the safety function of the system (Main FSM, described in Section 8.5 of 6116-10203). The TxB Stream FSM is described in Section 6.12 of 6116-10203. Figure 6.4-1 of 6116-10203 is a block diagram of the CLB depicting in part this entire mechanism. Per 6002-10203 once in the registers of the Communication Channel Interface module, the data is pushed into FIFO memory (Section 3.6.3) by the FIFO communication module (Section 3.6.4) as it services write requests from the communication channel transmit interface (Section 3.6.2) and popped by the transmit communication module (Section 3.8) for transmission on the external transmit output. The receive communication module is used only for a self checking comparison of the channel transmission. The FSM described in Section 3.8.4 governs the data transmission.

In Core B, the Sequencer marshals the data defined in Table 3-1 of 6116-00100 to the communication channel interface through the Channel Logic module (described in Section 3.3.2.4 of 6116-10204). It does this by using RAM Registers described in Section 4.4.10 of 6116-10204 to store Virtual Channel and Slave 10 data. RAM is implemented using two dual-port RAMs. A Table in RTL (described in Section 4.4.15.1 of 6116-10204) references the data and organizes it into a table consistent with the data content, format, and order specifications for communications output as defined in Appendix A of 6116-00100. A RAM request reads Virtual Channel Bank data and ALS Slave 10 registers. Then the Table sends this data to the TxB port. This function is performed through an RTL state machine described in Section 4.4.15.2 of 6116-10204 which periodically traverses the Table from top to bottom presenting the data contents of each row to the TxB communications channels for transmission. It is independent of the FSM that governs the safety function of the system described in Section 4.4.11.3 of 6116-10204. Data is exported for transmission by using the internal RAB bus to write to the output registers in the Channel Interface module. This interface is documented in the "6002-10206 - ALS-102 FPGA Design Specification". The communication channels (as described in Section 7.3.3.2 of 6002-10204) are identical in construction to an ALS-601 channel (described in 6002-60104) but are configured to operate as transmit-only, byte mode, with cloning disabled.

Per 6002-60104 once in the registers of the Communication Channel Interface module, the data is pushed into FIFO memory (Section 4.4.2.10) by the Write Interface (Section 4.4.2.5) as it services write requests from the Register Interface (Section 4.4.4) and popped by the Transmit Interface (Section 4.4.2.8) for transmission on the external transmit output. The Receiver Interface is used in transmit channels for external channel error checking only. The FSM described in Section 4.4.2.8.1 of 6002-60104 governs the data transmission.

The 6116-00100 document includes descriptions of the protocol used by the TxB1/TxB2 data stream, the contents of the data at the byte level, the format of the data included in the data stream.

An updated proprietary response based on closed conference call held on 9/18 has been put on the sharepoint site.

No.: 108
Src/RI: RJS
Status: Open
Comments: 11/1/13 - RJS: Tricon Reliability Analysis document to be put on sharepoint. Schedule for submittal of all documents to be provided in two weeks.

Issue Description: Phase 2 Document Status Assessment:

The staff performed an assessment of the phase 2 document matrix and would like to discuss several items in the table.

We recognize that some of these items will not be available until after the FAT is performed, however, there are several other phase 2 documents that should be available now. We have identified the following documents that should not require completion of the design or FAT that have not yet been submitted. We will need a revised schedule for submittal of these documents by November 30th in order for us to proceed with the safety evaluation.

WSR's for phases of development beyond Planning/Req. (Both Vendors)
Tricon 993754-1-819, Reliability Analysis
Tricon 993754-1-811, Project specific platform FMEA (IEEE 352)
PG&E System level FMEA
Tricon 993754-1-812, Validation Test Specification (Integrated System)
Tricon 993754-1-868, Software Verification Test Plan

PG&E Response:

PG&E is working with each Vendor to determine the submittal dates for the remaining Phase 2 documents not related to FAT testing that still need to be submitted. The Tricon 993754-1-819, Reliability Analysis has just been completed and is expected to be submitted by 11/30/13.

No.: 109
Src/RI: RJS
Status: Open
RAI No. (Date Sent): No RAI
Comments: 11/1/13 - RJS: 6116-00050 to be put on sharepoint. Tricon doc will be made available prior to second audit.

Issue Description: Audit Preparation:

In preparation for the follow-up audits at Invensys and at Westinghouse, the staff would like to have access to the configuration status accounting documents. Can the following documents be put onto the share point site?

1. 6116-00050, Diablo Canyon PPS Configuration Status Accounting,
2. Triconex Master Configuration List

PG&E Response:

Item 110 (Src/RI: RJS; Status: Open; RAI No.: RAI 64)

Comments:

11/1/13-RJS Discussed during 10/31 conference call. Asked licensee to reconsider the part b response. The NRC does not consider the fail safe states of analog signals to be unpredictable since they are defined in the system FPGA specification.

See Audit Requirement 2.d.

10/24/13 - RJS I have determined that the fail safe states are defined in the FPGA specifications, however, it is still not clear how these determinations were made if not derived from licensee input (i.e. FRS and IRS). FRS 3.2.1.16 defines Failure Mode Requirements.

Issue Description: ALS Defined "Safe States"

Part a.

Section 4.2.5.2 of the LAR (Page 64) states that "the redundancy checker compares outputs and critical internal states from the two cores and will drive the board to a safe state if the outputs of the cores do not agree."

The staff reviewed the FRS and IRS documents to determine what the "safe state" is for any given ALS function, but was unable to identify specifications that define what these safe states are. Please provide a list of "Safe States" for each of the ALS functions below and describe how requirements for these states are established in the system design. If the safe states are not defined by PG&E, then please explain the basis used by the vendor to determine what the safe states are for each ALS function.

ALS Function:

  • Pressurizer Pressure High Reactor Trip
  • Pressurizer Pressure Low Reactor Trip
  • Pressurizer Pressure Low-Low ESF
  • Pressurizer Pressure Low P-11 ESF Block
  • Containment Pressure High ESF
  • Containment Pressure High High-High ESF
  • PORV Actuation on High PZR Pressure

Part b.

Please explain what the "safe states" are for the ALS analog output signals.

If a redundancy checker detects a discrepancy between the two cores, then do these analog outputs fail to some pre-determined value or do they fail as-is? The FRS or IRS documents do not seem to specify this level of system functionality.

  • RCS Narrow Range Temperature Output
  • Pressurizer Vapor Space Temperature Output
  • RCS Wide Range Temperature Output

PG&E Response:

Part A: Additional information is being provided in the Functional Requirements Specification (Rev. 9), Sections 3.2.1.16.3 thru 3.2.1.16.6 that provide the requirements.

For Deenergize to Trip comparator outputs (which includes all except Containment Pressure High-High ESF):

[3.2.1.16.3] Deenergize to Trip comparator outputs shall be designed such that upon loss of electrical power, the resultant output is the tripped (deenergized) condition.

[3.2.1.16.5] Detectable failures that could result in loss of ability to perform a required safety function should result in affected Deenergize to Trip comparators being placed in the tripped (deenergized) condition. This requirement does not apply to functions that are out of service.

For the Energize to Trip Comparator Functions (Containment Pressure High-High ESF):

[3.2.1.16.4] Energize to Trip comparator outputs shall be designed such that upon loss of electrical power, the resultant output is the non-tripped (deenergized) condition.

[3.2.1.16.6] Detectable failures that could result in loss of ability to perform a required safety function should result in affected Energize to Trip comparators being placed in the non-tripped (deenergized) condition. This requirement does not apply to functions that are out of service.

Note that 3.2.1.16.5 and 3.2.1.16.6 are "should" and not "shall" since the type of failure is undefined. Some failures could result in the inability of the affected system to place the output in the desired mode.

Part B: The Functional Requirements Specification does not specify any particular failure mode for analog outputs. If the failure is a loss of power, they will fail low. Other failures are unpredictable making it difficult to assign a fail state that would be applicable in all cases.
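
An added illustration of requirements 3.2.1.16.3 through 3.2.1.16.6 as quoted above (not code from PG&E, the vendors or the NRC): a model of one comparator output fed by two redundant cores, showing that the same deenergized output reads as tripped for a Deenergize to Trip function and as non-tripped for the Energize to Trip function. Treating a core mismatch as a detectable failure, the setpoints, and the names `Comparator`, `evaluate` and `fail_state_table` are assumptions of the example.

```python
from dataclasses import dataclass

DTT, ETT = "deenergize-to-trip", "energize-to-trip"

@dataclass(frozen=True)
class Comparator:
    name: str
    kind: str          # DTT or ETT
    setpoint: float    # constructed value, arbitrary units
    trip_high: bool    # True: demand at/above setpoint, False: at/below

    def demand(self, value: float) -> bool:
        return value >= self.setpoint if self.trip_high else value <= self.setpoint

def evaluate(comp, core_a, core_b, powered=True):
    """Return (energized, tripped, reason) for one comparator output.

    core_a / core_b are the process values seen by the two redundant cores.
    """
    if not powered:
        energized, reason = False, "loss of power: 3.2.1.16.3/.4"
    elif comp.demand(core_a) != comp.demand(core_b):
        # Assumption: a redundancy-checker mismatch is handled as a detectable
        # failure, so the output goes to the state named in 3.2.1.16.5/.6.
        energized, reason = False, "core mismatch: 3.2.1.16.5/.6"
    else:
        demand = comp.demand(core_a)
        # DTT holds its output energized until a trip is demanded; ETT is the reverse.
        energized = (not demand) if comp.kind == DTT else demand
        reason = "cores agree"
    tripped = (not energized) if comp.kind == DTT else energized
    return energized, tripped, reason

def fail_state_table(comparators):
    """For each comparator, what the plant sees on power loss and on core mismatch."""
    rows = {}
    for c in comparators:
        lo, hi = c.setpoint - 10, c.setpoint + 10   # values either side of setpoint
        rows[c.name] = {
            "power_loss_tripped": evaluate(c, lo, lo, powered=False)[1],
            "mismatch_tripped": evaluate(c, lo, hi)[1],
        }
    return rows

# Constructed sample channels; the setpoints are not plant values.
SAMPLES = [
    Comparator("Pressurizer Pressure High Reactor Trip", DTT, 100.0, True),
    Comparator("Pressurizer Pressure Low Reactor Trip", DTT, 40.0, False),
    Comparator("Containment Pressure High-High ESF", ETT, 100.0, True),
]

if __name__ == "__main__":
    for name, row in fail_state_table(SAMPLES).items():
        print(f"{name}: {row}")
```

Because 3.2.1.16.5 and 3.2.1.16.6 are "should" requirements, the mismatch rows show the intended state, not a guaranteed one.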

Item 111 (Src/RI: RJS; Status: New; RAI No.: RAI 65)

Comments:

11/1/13-RJS This item was discussed at the 10/31 conference call. This will require an RAI in order to provide clarification to the rationale for maintaining this bypass of bypass alarm function when channel is not used. Also need clarification that bypass alarm will never be disabled for an active channel and will always provide alarm when in bypass condition.

10/28/13 - RJS - This will be an Audit Item. See Audit Requirement 2.g.

Issue Description: ALS Manual Alarm Bypass Function -

In the FPGA Requirements Specification (page 4-14) R4082 states that the Bypass alarm logic will be bypassed when the channel's logic enable is not set. The rationale provided is that the trip command is not being calculated so there would presumably be no need to actuate the alarm. This requirement seems to contradict requirement R4130 as well as Clause 5.8.3 of IEEE 603.

Please provide an explanation of the benefit of providing this means of defeating this alarm. The staff feels that operators should be aware of the bypass status of each safety channel regardless of whether the safety function is operable or not. The staff is also concerned that situations could exist when the operator could be misled into believing that a channel is not bypassed (because of the cleared alarm) when in fact the channel bypass switch is in bypass.

PG&E Response:

Enclosure 3

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 15)

Columns: Step; Planned Date; Task; Actual Date

Step 1 (Planned: Oct. 26, 2011; Actual: Oct. 26, 2011): PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital Licensing."

Step 2 (Planned: Jan. 12, 2012; Actual: Jan. 12, 2012): Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review.

Step 3 (Planned: Jan. 13, 2012; Actual: Jan. 13, 2012): Acceptance letter sent to licensee.

Step 4 (Planned: Jan. 18, 2012; Actual: Jan. 18, 2012): Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review.

Step 5 (Planned: March 18, 2012; Actual: April 2, 2012): PG&E provides information requested in acceptance letter. Initiate bi-weekly telecoms with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses.

Step 6 (Planned: May 30, 2012; Actual: June 6, 2012*): PG&E provides partial set of Phase 2 documentation per commitments made in LAR.

* PG&E provided a subset of the Phase 2 documents on June 6th. See step 14 which is a milestone for submittal of all remaining Phase 2 documents.

Step 7 (Planned: July 2012; Actual: August 07, 2012): First RAI sent to PG&E on Phase 1 documentation (e.g., specifications, plans, and equipment qualification). Continue review of the application. Request 45 day response. (ML12208A364)

Step 8 (Planned: June 2012; Actual: May 15, 2012): SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. (ML12146A010)

Step 8.1 (Planned: June 2013): SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR.

Step 9 (Planned: September 2012; Actual: Sept. 11, 2012): Receive answers to first RAI. (ML12256A308)

Step 10 (Planned: November 2012; Actual: Nov. 13-16, 2012): Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design.

Step 10.1 (Planned: December 2012; Actual: February 21, 2013): Audit report provided to PG&E.

Step 11 (Planned: February 2013; Actual: February 21, 2013): Audit trip to Westinghouse/CSI facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the W/ALS application software development procedures, and PPS ALS application software program design.

Step 11.1 (Planned: April 2013; Actual: April 11, 2013): Audit report provided to PG&E and its contractor.

Step 12 (Planned: March 2013; Actual: March 20, 2013): Second RAI Letter to PG&E on Phase 1 documentation.

Step 12.1 (Planned: April 2013; Actual: May 9, 2013): Receive responses to Second set of RAI's.

Step 13 (Planned: April 2013; Actual: April 30, 2013): LAR revision and all supporting documentation associated with the change in ALS and Tricon V10 workstation designs for the PPS are submitted.

Step 14 (Planned: August 2013; Actual: August 8, 2013): NSIR Cyber Security audit at Diablo Canyon site.

Step 14.1 (Planned: October 2013; Actual: October 4, 2013): Cyber Security Audit Report provided to licensee. EICB Letter sent to PM 9/2/13. NSIR Report - Non-Public ML13232A249, Redacted ML13232A258.

Step 15 (Planned: December 2013): PG&E provides remaining set of Phase 2 documentation per commitments made in LAR. To include ALS PSAI related documents. See step 6 for initial submittal of Phase 2 documents.

Step 16 (Planned: December 2013): All Documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR are submitted.

Step 17 (Planned: TBD): Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design.

Step 17.1 (Planned: TBD): Second Invensys audit report provided to PG&E.

Step 18 (Planned: November 2013): Third RAI Letter to PG&E on Phase 2 documentation (e.g., FMEA, safety analysis, RTM, EQ test results, setpoint calculations.)

Step 18.1 (Planned: January 2014): Receive responses to third set of RAI's.

Step 19 (Planned: December 2013): Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.

Step 19.1 (Planned: January 2014): Audit report provided to PG&E.

Step 20 (Planned: TBD): (Optional) Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.

Step 21 (Planned: TBD): (Optional) Audit trip to DCPP test facilities for additional thread audit items.

Step 22 (Planned: February 18 / March 2014): Presentation to ACRS Subcommittee/Full ACRS Committee on DCPP PPS LAR Safety Evaluation.

Step 23 (Planned: March 2014): Complete draft technical SER for management review and approval.

Step 24 (Planned: March 2014): Issue completed draft technical SER to DORL.

Step 25 (Planned: March 2014): Draft SER sent to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included.

Step 26 (Planned: April 2014): Receive comments from PG&E and its contractors on draft SER proprietary review.

Step 27 (Planned: May 2014): Approved License Amendment issued to PG&E.

Step 28 (Planned: ~September 2014, tentative): Inspection trip to DCPP for PPS Site Acceptance Testing (SAT), training and other preparation for installing the new system. To be coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1R19).

Step 29 (Planned: ~September 2015): Inspection trip to DCPP for PPS installation tests, training and other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19).

Please direct any inquiries to me at 301-415-1530 or at Jennivine.Rankin@nrc.gov.

/RA/

Jennivine K. Rankin, Project Manager
Plant Licensing IV-2 and Decommissioning Transition Branch
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff Identified Issues That are Open
3. Project Plan

cc w/encls: Distribution via Listserv

DISTRIBUTION:

PUBLIC
LPL4-2 Reading
RidsAcrsAcnw_MailCTR Resource
RidsNrrDeEicb Resource
RidsNrrDorl Resource
RidsNrrDorlLpl4-2 Resource
RidsNrrLAJBurkhardt Resource
RidsNrrPMDiabloCanyon Resource
RidsNsirDsp Resource
RidsRgn4MailCenter Resource
BRini, EDO RIV
TWertz, NRR
RStattel, NRR/DE/EICB
RAlvarado, NRR/DE/EICB
WMaier, RIV
SMakor, RIV/DRS/EB2

ADAMS Accession Nos. Meeting Notice ML13290A227; Meeting Summary ML13329A417 *via email

OFFICE: NRR/DORL/LPL4-2/PM; NRR/DORL/LPL4-2/LA; NRR/DE/EICB; NRR/DORL/LPL4-2/BC; NRR/DORL/LPL4-2/PM
NAME: JRankin; JBurkhardt; RStattel*; DBroaddus (BBenney for); JRankin
DATE: 12/4/13; 12/3/13; 11/13/13; 12/30/13; 12/30/13

OFFICIAL RECORD COPY